Repository: ambari Updated Branches: refs/heads/branch-2.1 68e9b6d05 -> 87b4a3293 refs/heads/trunk 5becb314e -> d855386b9
AMBARI-14101. Post Upgrade: After upgrade oozie and hive server failing to come up. (dlysnichenko) Project: http://git-wip-us.apache.org/repos/asf/ambari/repo Commit: http://git-wip-us.apache.org/repos/asf/ambari/commit/d855386b Tree: http://git-wip-us.apache.org/repos/asf/ambari/tree/d855386b Diff: http://git-wip-us.apache.org/repos/asf/ambari/diff/d855386b Branch: refs/heads/trunk Commit: d855386b9798ef9c5a8669498b6b9c853b45edce Parents: 5becb31 Author: Lisnichenko Dmitro <[email protected]> Authored: Fri Nov 27 18:14:58 2015 +0200 Committer: Lisnichenko Dmitro <[email protected]> Committed: Fri Nov 27 18:14:58 2015 +0200 ---------------------------------------------------------------------- .../server/upgrade/AbstractUpgradeCatalog.java | 85 ++ .../server/upgrade/UpgradeCatalog210.java | 74 +- .../server/upgrade/UpgradeCatalog213.java | 52 +- .../server/upgrade/UpgradeCatalog210Test.java | 2 +- .../server/upgrade/UpgradeCatalog213Test.java | 79 +- .../test_kerberos_descriptor_2_1_3.json | 1316 ++++++++++++++++++ 6 files changed, 1505 insertions(+), 103 deletions(-) ---------------------------------------------------------------------- http://git-wip-us.apache.org/repos/asf/ambari/blob/d855386b/ambari-server/src/main/java/org/apache/ambari/server/upgrade/AbstractUpgradeCatalog.java ---------------------------------------------------------------------- diff --git a/ambari-server/src/main/java/org/apache/ambari/server/upgrade/AbstractUpgradeCatalog.java b/ambari-server/src/main/java/org/apache/ambari/server/upgrade/AbstractUpgradeCatalog.java index ddc431d..7cbdd33 100644 --- a/ambari-server/src/main/java/org/apache/ambari/server/upgrade/AbstractUpgradeCatalog.java +++ b/ambari-server/src/main/java/org/apache/ambari/server/upgrade/AbstractUpgradeCatalog.java 
@@ -28,7 +28,9 @@ import org.apache.ambari.server.configuration.Configuration.DatabaseType;
 import org.apache.ambari.server.controller.AmbariManagementController;
 import org.apache.ambari.server.controller.ConfigurationRequest;
 import org.apache.ambari.server.orm.DBAccessor;
+import org.apache.ambari.server.orm.dao.ArtifactDAO;
 import org.apache.ambari.server.orm.dao.MetainfoDAO;
+import org.apache.ambari.server.orm.entities.ArtifactEntity;
 import org.apache.ambari.server.orm.entities.MetainfoEntity;
 import org.apache.ambari.server.state.Cluster;
 import org.apache.ambari.server.state.Clusters;
@@ -36,6 +38,9 @@ import org.apache.ambari.server.state.Config;
 import org.apache.ambari.server.state.ConfigHelper;
 import org.apache.ambari.server.state.PropertyInfo;
 import org.apache.ambari.server.state.ServiceInfo;
+import org.apache.ambari.server.state.kerberos.AbstractKerberosDescriptorContainer;
+import org.apache.ambari.server.state.kerberos.KerberosIdentityDescriptor;
+import org.apache.ambari.server.state.kerberos.KerberosServiceDescriptor;
 import org.apache.ambari.server.utils.VersionUtils;
 import org.apache.commons.lang.StringUtils;
 import org.slf4j.Logger;
@@ -554,6 +559,86 @@ public abstract class AbstractUpgradeCatalog implements UpgradeCatalog { return properties; } + /** + * Iterates through a collection of AbstractKerberosDescriptorContainers to find and update + * identity descriptor references. + * + * @param descriptorMap a String to AbstractKerberosDescriptorContainer map to iterate trough + * @param referenceName the reference name to change + * @param newReferenceName the new reference name + */ + protected void updateKerberosDescriptorIdentityReferences(Map<String, ? extends AbstractKerberosDescriptorContainer> descriptorMap, + String referenceName, + String newReferenceName) { + if (descriptorMap != null) { + for (AbstractKerberosDescriptorContainer kerberosServiceDescriptor : descriptorMap.values()) { + updateKerberosDescriptorIdentityReferences(kerberosServiceDescriptor, referenceName, newReferenceName); + + if (kerberosServiceDescriptor instanceof KerberosServiceDescriptor) { + updateKerberosDescriptorIdentityReferences(((KerberosServiceDescriptor) kerberosServiceDescriptor).getComponents(), + referenceName, newReferenceName); + } + } + } + } + + /** + * Given an AbstractKerberosDescriptorContainer, iterates through its contained identity descriptors + * to find ones matching the reference name to change. + * <p/> + * If found, the reference name is updated to the new name. 
+ * + * @param descriptorContainer the AbstractKerberosDescriptorContainer to update + * @param referenceName the reference name to change + * @param newReferenceName the new reference name + */ + protected void updateKerberosDescriptorIdentityReferences(AbstractKerberosDescriptorContainer descriptorContainer, + String referenceName, + String newReferenceName) { + if (descriptorContainer != null) { + KerberosIdentityDescriptor identity = descriptorContainer.getIdentity(referenceName); + if (identity != null) { + identity.setName(newReferenceName); + } + } + } + + /** + * Update the stored Kerberos Descriptor artifacts to conform to the new structure. + * <p/> + * Finds the relevant artifact entities and iterates through them to process each independently. + */ + protected void updateKerberosDescriptorArtifacts() throws AmbariException { + ArtifactDAO artifactDAO = injector.getInstance(ArtifactDAO.class); + List<ArtifactEntity> artifactEntities = artifactDAO.findByName("kerberos_descriptor"); + + if (artifactEntities != null) { + for (ArtifactEntity artifactEntity : artifactEntities) { + updateKerberosDescriptorArtifact(artifactDAO, artifactEntity); + } + } + } + + + + /** + * Update the specified Kerberos Descriptor artifact to conform to the new structure. + * <p/> + * On ambari version update some of identities can be moved between scopes(e.g. from service to component), so + * old identity need to be moved to proper place and all references for moved identity need to be updated. + * <p/> + * By default descriptor remains unchanged and this method must be overridden in child UpgradeCatalog to meet new + * ambari version changes in kerberos descriptors. + * <p/> + * The supplied ArtifactEntity is updated in place a merged back into the database. 
+ * + * @param artifactDAO the ArtifactDAO to use to store the updated ArtifactEntity + * @param artifactEntity the ArtifactEntity to update + */ + protected void updateKerberosDescriptorArtifact(ArtifactDAO artifactDAO, ArtifactEntity artifactEntity) throws AmbariException { + // NOOP + } + @Override public void upgradeSchema() throws AmbariException, SQLException { DatabaseType databaseType = configuration.getDatabaseType(); http://git-wip-us.apache.org/repos/asf/ambari/blob/d855386b/ambari-server/src/main/java/org/apache/ambari/server/upgrade/UpgradeCatalog210.java ---------------------------------------------------------------------- diff --git a/ambari-server/src/main/java/org/apache/ambari/server/upgrade/UpgradeCatalog210.java b/ambari-server/src/main/java/org/apache/ambari/server/upgrade/UpgradeCatalog210.java index 2717993..7940e02 100644 --- a/ambari-server/src/main/java/org/apache/ambari/server/upgrade/UpgradeCatalog210.java +++ b/ambari-server/src/main/java/org/apache/ambari/server/upgrade/UpgradeCatalog210.java 
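Review bot: The Javadoc on the new base `updateKerberosDescriptorArtifact` states that the supplied entity "is updated in place a merged back into the database", but the base body is a no-op, so that sentence only holds for overriding catalogs. I would reword it to `Overrides are expected to update the supplied ArtifactEntity in place and merge it back through artifactDAO.` and add an `@throws AmbariException` tag to this method and to `updateKerberosDescriptorArtifacts`. The loop in `updateKerberosDescriptorArtifacts` has no per-artifact error handling, so its Javadoc should also say that a failure on one stored Kerberos descriptor stops processing of the remaining ones. The `descriptorMap` parameter description in the same block carries the typo "iterate trough".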
@@ -1007,36 +1007,10 @@ public class UpgradeCatalog210 extends AbstractUpgradeCatalog { updateKerberosDescriptorArtifacts(); } - /** - * Update the stored Kerberos Descriptor artifacts to conform to the new structure. - * <p/> - * Finds the relevant artifact entities and iterates through them to process each independently. - */ - protected void updateKerberosDescriptorArtifacts() throws AmbariException { - ArtifactDAO artifactDAO = injector.getInstance(ArtifactDAO.class); - List<ArtifactEntity> artifactEntities = artifactDAO.findByName("kerberos_descriptor"); - - if (artifactEntities != null) { - for (ArtifactEntity artifactEntity : artifactEntities) { - updateKerberosDescriptorArtifact(artifactDAO, artifactEntity); - } - } - } - - /** - * Update the specified Kerberos Descriptor artifact to conform to the new structure. - * <p/> - * To conform to the new Kerberos Descriptor structure, the global "hdfs" identity (if exists) - * must be moved to the set of identities under the HDFS service. If no HDFS service exists, one - * is created to hold only the "hdfs" identity descriptor. Then, any identity descriptor references - * to "/hdfs" must be changed to "/HDFS/hdfs" to point to the moved "hdfs" identity descriptor. - * <p/> - * The supplied ArtifactEntity is updated in place a merged back into the database. - * - * @param artifactDAO the ArtifactDAO to use to store the updated ArtifactEntity - * @param artifactEntity the ArtifactEntity to update + * {@inheritDoc} */ + @Override protected void updateKerberosDescriptorArtifact(ArtifactDAO artifactDAO, ArtifactEntity artifactEntity) throws AmbariException { if (artifactEntity != null) { Map<String, Object> data = artifactEntity.getArtifactData(); 
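Review bot: Replacing this method's Javadoc with a bare `{@inheritDoc}` drops the only description of what the 2.1.0 migration does to a stored Kerberos descriptor, because the inherited text is the generic base-class description. I would keep a catalog-specific sentence after the tag, for example `Moves the global "hdfs" identity under the HDFS service (creating the service entry if needed) and rewrites "/hdfs" references to "/HDFS/hdfs".`, which is what the removed comment documented. The method body continues outside this hunk.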
@@ -1088,50 +1062,6 @@ public class UpgradeCatalog210 extends AbstractUpgradeCatalog { } /** - * Iterates through a collection of AbstractKerberosDescriptorContainers to find and update - * identity descriptor references. - * - * @param descriptorMap a String to AbstractKerberosDescriptorContainer map to iterate trough - * @param referenceName the reference name to change - * @param newReferenceName the new reference name - */ - private void updateKerberosDescriptorIdentityReferences(Map<String, ? extends AbstractKerberosDescriptorContainer> descriptorMap, - String referenceName, - String newReferenceName) { - if (descriptorMap != null) { - for (AbstractKerberosDescriptorContainer kerberosServiceDescriptor : descriptorMap.values()) { - updateKerberosDescriptorIdentityReferences(kerberosServiceDescriptor, referenceName, newReferenceName); - - if (kerberosServiceDescriptor instanceof KerberosServiceDescriptor) { - updateKerberosDescriptorIdentityReferences(((KerberosServiceDescriptor) kerberosServiceDescriptor).getComponents(), - referenceName, newReferenceName); - } - } - } - } - - /** - * Given an AbstractKerberosDescriptorContainer, iterates through its contained identity descriptors - * to find ones matching the reference name to change. - * <p/> - * If found, the reference name is updated to the new name. - * - * @param descriptorContainer the AbstractKerberosDescriptorContainer to update - * @param referenceName the reference name to change - * @param newReferenceName the new reference name - */ - private void updateKerberosDescriptorIdentityReferences(AbstractKerberosDescriptorContainer descriptorContainer, - String referenceName, - String newReferenceName) { - if (descriptorContainer != null) { - KerberosIdentityDescriptor identity = descriptorContainer.getIdentity(referenceName); - if (identity != null) { - identity.setName(newReferenceName); - } - } - } - - /** * Delete STORM_REST_API component if HDP is upgraded past 2.2 and the * Component still exists. 
*/ http://git-wip-us.apache.org/repos/asf/ambari/blob/d855386b/ambari-server/src/main/java/org/apache/ambari/server/upgrade/UpgradeCatalog213.java ---------------------------------------------------------------------- diff --git a/ambari-server/src/main/java/org/apache/ambari/server/upgrade/UpgradeCatalog213.java b/ambari-server/src/main/java/org/apache/ambari/server/upgrade/UpgradeCatalog213.java index df681fa..a070935 100644 --- a/ambari-server/src/main/java/org/apache/ambari/server/upgrade/UpgradeCatalog213.java +++ b/ambari-server/src/main/java/org/apache/ambari/server/upgrade/UpgradeCatalog213.java 
@@ -29,22 +29,8 @@ import org.apache.ambari.server.configuration.Configuration;
 import org.apache.ambari.server.controller.AmbariManagementController;
 import org.apache.ambari.server.orm.DBAccessor;
 import org.apache.ambari.server.orm.DBAccessor.DBColumnInfo;
-import org.apache.ambari.server.orm.dao.AlertDefinitionDAO;
-import org.apache.ambari.server.orm.dao.ClusterDAO;
-import org.apache.ambari.server.orm.dao.ClusterVersionDAO;
-import org.apache.ambari.server.orm.dao.DaoUtils;
-import org.apache.ambari.server.orm.dao.HostVersionDAO;
-import org.apache.ambari.server.orm.dao.RepositoryVersionDAO;
-import org.apache.ambari.server.orm.dao.StackDAO;
-import org.apache.ambari.server.orm.dao.UpgradeDAO;
-import org.apache.ambari.server.orm.entities.AlertDefinitionEntity;
-import org.apache.ambari.server.orm.entities.ClusterEntity;
-import org.apache.ambari.server.orm.entities.ClusterVersionEntity;
-import org.apache.ambari.server.orm.entities.HostEntity;
-import org.apache.ambari.server.orm.entities.HostVersionEntity;
-import org.apache.ambari.server.orm.entities.RepositoryVersionEntity;
-import org.apache.ambari.server.orm.entities.StackEntity;
-import org.apache.ambari.server.orm.entities.UpgradeEntity;
+import org.apache.ambari.server.orm.dao.*;
+import org.apache.ambari.server.orm.entities.*;
 import org.apache.ambari.server.state.Cluster;
 import org.apache.ambari.server.state.Clusters;
 import org.apache.ambari.server.state.Config;
@@ -53,6 +39,7 @@ import org.apache.ambari.server.state.SecurityType;
 import org.apache.ambari.server.state.StackId;
 import org.apache.ambari.server.state.StackInfo;
 import org.apache.ambari.server.state.alert.SourceType;
+import org.apache.ambari.server.state.kerberos.*;
 import org.apache.ambari.server.state.stack.upgrade.Direction;
 import org.apache.ambari.server.state.stack.upgrade.RepositoryVersionHelper;
 import org.apache.ambari.server.state.stack.upgrade.UpgradeType;
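Review bot: The wildcard imports `org.apache.ambari.server.orm.dao.*` and `org.apache.ambari.server.orm.entities.*` replace sixteen explicit imports and hide which DAO and entity types this upgrade catalog actually touches; the second hunk on this line (`org.apache.ambari.server.state.kerberos.*`) and the import hunk in UpgradeCatalog213Test.java do the same. AbstractUpgradeCatalog.java in this commit keeps explicit imports for the same packages, so I would leave the existing lines in place and add only the new names, e.g. `import org.apache.ambari.server.orm.dao.ArtifactDAO;` and `import org.apache.ambari.server.orm.entities.ArtifactEntity;`, plus the Kerberos descriptor classes the new method uses.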
@@ -313,6 +300,7 @@ public class UpgradeCatalog213 extends AbstractUpgradeCatalog {
 updateZookeeperLog4j();
 updateHiveConfig();
 updateAccumuloConfigs();
+ updateKerberosDescriptorArtifacts();
 updateKnoxTopology();
 }
@@ -612,6 +600,38 @@ public class UpgradeCatalog213 extends AbstractUpgradeCatalog {
 }
 /**
+ * {@inheritDoc}
+ */
+ @Override
+ protected void updateKerberosDescriptorArtifact(ArtifactDAO artifactDAO, ArtifactEntity artifactEntity) throws AmbariException {
+ if (artifactEntity != null) {
+ Map<String, Object> data = artifactEntity.getArtifactData();
+
+ if (data != null) {
+ final KerberosDescriptor kerberosDescriptor = new KerberosDescriptorFactory().createInstance(data);
+
+ if (kerberosDescriptor != null) {
+ KerberosServiceDescriptor hdfsService = kerberosDescriptor.getService("HDFS");
+ if(hdfsService != null) {
+ // before 2.1.3 hdfs indentity expected to be in HDFS service
+ KerberosIdentityDescriptor hdfsIdentity = hdfsService.getIdentity("hdfs");
+ KerberosComponentDescriptor namenodeComponent = hdfsService.getComponent("NAMENODE");
+ hdfsIdentity.setName("hdfs");
+ hdfsService.removeIdentity("hdfs");
+ namenodeComponent.putIdentity(hdfsIdentity);
+ }
+ updateKerberosDescriptorIdentityReferences(kerberosDescriptor, "/HDFS/hdfs", "/HDFS/NAMENODE/hdfs");
+ updateKerberosDescriptorIdentityReferences(kerberosDescriptor.getServices(), "/HDFS/hdfs", "/HDFS/NAMENODE/hdfs");
+
+ artifactEntity.setArtifactData(kerberosDescriptor.toMap());
+ artifactDAO.merge(artifactEntity);
+ }
+ }
+ }
+ }
+
+ /**
+ * If still on HDP 2.1, then no repo versions exist, so need to bootstrap the HDP 2.1 repo version,
 * If still on HDP 2.1, then no repo versions exist, so need to bootstrap the HDP 2.1 repo version,
 * and mark it as CURRENT in the cluster_version table for the cluster, as well as the host_version table
 * for all hosts.
http://git-wip-us.apache.org/repos/asf/ambari/blob/d855386b/ambari-server/src/test/java/org/apache/ambari/server/upgrade/UpgradeCatalog210Test.java
----------------------------------------------------------------------
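Review bot: `hdfsService.getIdentity("hdfs")` and `hdfsService.getComponent("NAMENODE")` are dereferenced without a null check, so a stored descriptor whose HDFS service has no service-level "hdfs" identity (already migrated, or edited by an administrator) or no NAMENODE component throws a NullPointerException and aborts this upgrade step. The rewrite of references to "/HDFS/NAMENODE/hdfs" also runs when nothing was moved, which would presumably leave other services referring to an identity that does not exist, and so without a resolvable hdfs principal and keytab. I would move the identity only when both lookups succeed and rewrite the references only in that case, as below; `hdfsIdentity.setName("hdfs")` can be dropped because the identity was just looked up under that name. The last added Javadoc line also appears to duplicate the context line that follows it.

```java
KerberosServiceDescriptor hdfsService = kerberosDescriptor.getService("HDFS");
if (hdfsService != null) {
  KerberosIdentityDescriptor hdfsIdentity = hdfsService.getIdentity("hdfs");
  KerberosComponentDescriptor namenodeComponent = hdfsService.getComponent("NAMENODE");
  if (hdfsIdentity != null && namenodeComponent != null) {
    hdfsService.removeIdentity("hdfs");
    namenodeComponent.putIdentity(hdfsIdentity);
    // Rewrite references only once the identity really lives under NAMENODE.
    updateKerberosDescriptorIdentityReferences(kerberosDescriptor, "/HDFS/hdfs", "/HDFS/NAMENODE/hdfs");
    updateKerberosDescriptorIdentityReferences(kerberosDescriptor.getServices(), "/HDFS/hdfs", "/HDFS/NAMENODE/hdfs");
  }
}
// … unchanged: setArtifactData and artifactDAO.merge …
```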
diff --git a/ambari-server/src/test/java/org/apache/ambari/server/upgrade/UpgradeCatalog210Test.java b/ambari-server/src/test/java/org/apache/ambari/server/upgrade/UpgradeCatalog210Test.java index c2889fe..83018a2 100644 --- a/ambari-server/src/test/java/org/apache/ambari/server/upgrade/UpgradeCatalog210Test.java +++ b/ambari-server/src/test/java/org/apache/ambari/server/upgrade/UpgradeCatalog210Test.java @@ -216,7 +216,7 @@ public class UpgradeCatalog210Test { UpgradeCatalog210.class.getDeclaredMethod("removeStormRestApiServiceComponent"); Method updateKerberosDescriptorArtifacts = - UpgradeCatalog210.class.getDeclaredMethod("updateKerberosDescriptorArtifacts"); + AbstractUpgradeCatalog.class.getDeclaredMethod("updateKerberosDescriptorArtifacts"); UpgradeCatalog210 upgradeCatalog210 = createMockBuilder(UpgradeCatalog210.class) .addMockedMethod(addNewConfigurationsFromXml) http://git-wip-us.apache.org/repos/asf/ambari/blob/d855386b/ambari-server/src/test/java/org/apache/ambari/server/upgrade/UpgradeCatalog213Test.java ---------------------------------------------------------------------- diff --git a/ambari-server/src/test/java/org/apache/ambari/server/upgrade/UpgradeCatalog213Test.java b/ambari-server/src/test/java/org/apache/ambari/server/upgrade/UpgradeCatalog213Test.java index 071cb69..d8e7267 100644 --- a/ambari-server/src/test/java/org/apache/ambari/server/upgrade/UpgradeCatalog213Test.java +++ b/ambari-server/src/test/java/org/apache/ambari/server/upgrade/UpgradeCatalog213Test.java 
@@ -40,20 +40,8 @@ import org.apache.ambari.server.controller.MaintenanceStateHelper; import org.apache.ambari.server.orm.DBAccessor; import org.apache.ambari.server.orm.GuiceJpaInitializer; import org.apache.ambari.server.orm.InMemoryDefaultTestModule; -import org.apache.ambari.server.orm.dao.AlertDefinitionDAO; -import org.apache.ambari.server.orm.dao.ClusterDAO; -import org.apache.ambari.server.orm.dao.ClusterVersionDAO; -import org.apache.ambari.server.orm.dao.DaoUtils; -import org.apache.ambari.server.orm.dao.HostVersionDAO; -import org.apache.ambari.server.orm.dao.RepositoryVersionDAO; -import org.apache.ambari.server.orm.dao.StackDAO; -import org.apache.ambari.server.orm.entities.AlertDefinitionEntity; -import org.apache.ambari.server.orm.entities.ClusterEntity; -import org.apache.ambari.server.orm.entities.ClusterVersionEntity; -import org.apache.ambari.server.orm.entities.HostEntity; -import org.apache.ambari.server.orm.entities.HostVersionEntity; -import org.apache.ambari.server.orm.entities.RepositoryVersionEntity; -import org.apache.ambari.server.orm.entities.StackEntity; +import org.apache.ambari.server.orm.dao.*; +import org.apache.ambari.server.orm.entities.*; import org.apache.ambari.server.stack.StackManagerFactory; import org.apache.ambari.server.state.Cluster; import org.apache.ambari.server.state.Clusters; @@ -64,6 +52,7 @@ import org.apache.ambari.server.state.SecurityType; import org.apache.ambari.server.state.Service; import org.apache.ambari.server.state.StackId; import org.apache.ambari.server.state.StackInfo; +import org.apache.ambari.server.state.kerberos.*; import org.apache.ambari.server.state.stack.OsFamily; import org.apache.ambari.server.state.stack.upgrade.RepositoryVersionHelper; import org.easymock.Capture; 
@@ -76,8 +65,10 @@ import org.junit.Before; import org.junit.Test; import javax.persistence.EntityManager; +import java.io.File; import java.lang.reflect.InvocationTargetException; import java.lang.reflect.Method; +import java.net.URL; import java.sql.SQLException; import java.util.ArrayList; import java.util.Collection; @@ -100,6 +91,8 @@ import static org.easymock.EasyMock.reset; import static org.easymock.EasyMock.verify; import static org.junit.Assert.assertTrue; +import static junit.framework.Assert.assertNotNull; +import static junit.framework.Assert.assertNull; /** * {@link org.apache.ambari.server.upgrade.UpgradeCatalog213} unit tests. */ @@ -237,6 +230,7 @@ public class UpgradeCatalog213Test { Method updateRangerEnvConfig = UpgradeCatalog213.class.getDeclaredMethod("updateRangerEnvConfig"); Method updateHiveConfig = UpgradeCatalog213.class.getDeclaredMethod("updateHiveConfig"); Method updateAccumuloConfigs = UpgradeCatalog213.class.getDeclaredMethod("updateAccumuloConfigs"); + Method updateKerberosDescriptorArtifacts = AbstractUpgradeCatalog.class.getDeclaredMethod("updateKerberosDescriptorArtifacts"); Method updateKnoxTopology = UpgradeCatalog213.class.getDeclaredMethod("updateKnoxTopology"); UpgradeCatalog213 upgradeCatalog213 = createMockBuilder(UpgradeCatalog213.class) @@ -253,6 +247,7 @@ public class UpgradeCatalog213Test { .addMockedMethod(updateRangerEnvConfig) .addMockedMethod(updateHiveConfig) .addMockedMethod(updateAccumuloConfigs) + .addMockedMethod(updateKerberosDescriptorArtifacts) .addMockedMethod(updateKnoxTopology) .createMock(); @@ -283,6 +278,8 @@ public class UpgradeCatalog213Test { expectLastCall().once(); upgradeCatalog213.updateKnoxTopology(); expectLastCall().once(); + upgradeCatalog213.updateKerberosDescriptorArtifacts(); + expectLastCall().once(); replay(upgradeCatalog213); 
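Review bot: The new static imports in the second hunk on this line take `assertNotNull` and `assertNull` from `junit.framework.Assert`, the JUnit 3 class that JUnit 4 deprecates, while the context line just above already imports `assertTrue` from `org.junit.Assert`. I would use `import static org.junit.Assert.assertNotNull;` and `import static org.junit.Assert.assertNull;` so the test draws its assertions from one class.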
@@ -454,6 +451,60 @@ public class UpgradeCatalog213Test { } @Test + public void testUpdateKerberosDescriptorArtifact() throws Exception { + final KerberosDescriptorFactory kerberosDescriptorFactory = new KerberosDescriptorFactory(); + + KerberosServiceDescriptor serviceDescriptor; + + URL systemResourceURL = ClassLoader.getSystemResource("kerberos/test_kerberos_descriptor_2_1_3.json"); + assertNotNull(systemResourceURL); + + final KerberosDescriptor kerberosDescriptorOrig = kerberosDescriptorFactory.createInstance(new File(systemResourceURL.getFile())); + assertNotNull(kerberosDescriptorOrig); + + serviceDescriptor = kerberosDescriptorOrig.getService("HDFS"); + assertNotNull(serviceDescriptor); + assertNotNull(serviceDescriptor.getIdentity("hdfs")); + + serviceDescriptor = kerberosDescriptorOrig.getService("OOZIE"); + assertNotNull(serviceDescriptor); + assertNotNull(serviceDescriptor.getIdentity("/HDFS/hdfs")); + + UpgradeCatalog213 upgradeMock = createMockBuilder(UpgradeCatalog213.class).createMock(); + + Capture<Map<String, Object>> updatedData = new Capture<Map<String, Object>>(); + + ArtifactEntity artifactEntity = createNiceMock(ArtifactEntity.class); + expect(artifactEntity.getArtifactData()) + .andReturn(kerberosDescriptorOrig.toMap()) + .once(); + + artifactEntity.setArtifactData(capture(updatedData)); + expectLastCall().once(); + + replay(artifactEntity, upgradeMock); + upgradeMock.updateKerberosDescriptorArtifact(createNiceMock(ArtifactDAO.class), artifactEntity); + verify(artifactEntity, upgradeMock); + + KerberosDescriptor kerberosDescriptorUpdated = new KerberosDescriptorFactory().createInstance(updatedData.getValue()); + assertNotNull(kerberosDescriptorUpdated); + + serviceDescriptor = kerberosDescriptorUpdated.getService("HDFS"); + assertNotNull(serviceDescriptor); + assertNull(serviceDescriptor.getIdentity("hdfs")); + + KerberosComponentDescriptor namenodeComponent = serviceDescriptor.getComponent("NAMENODE"); + 
assertNotNull(namenodeComponent.getIdentity("hdfs")); + + serviceDescriptor = kerberosDescriptorUpdated.getService("OOZIE"); + assertNotNull(serviceDescriptor); + assertNull(serviceDescriptor.getIdentity("/HDFS/hdfs")); + assertNotNull(serviceDescriptor.getIdentity("/HDFS/NAMENODE/hdfs")); + } + + + + @Test public void testUpdateHbaseEnvConfig() throws AmbariException { EasyMockSupport easyMockSupport = new EasyMockSupport(); final AmbariManagementController mockAmbariManagementController = easyMockSupport.createNiceMock(AmbariManagementController.class); http://git-wip-us.apache.org/repos/asf/ambari/blob/d855386b/ambari-server/src/test/resources/kerberos/test_kerberos_descriptor_2_1_3.json ---------------------------------------------------------------------- diff --git a/ambari-server/src/test/resources/kerberos/test_kerberos_descriptor_2_1_3.json b/ambari-server/src/test/resources/kerberos/test_kerberos_descriptor_2_1_3.json new file mode 100644 index 0000000..3b4dff4 --- /dev/null +++ b/ambari-server/src/test/resources/kerberos/test_kerberos_descriptor_2_1_3.json 
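Review bot: `testUpdateKerberosDescriptorArtifact` never checks that the migrated descriptor is persisted: the `ArtifactDAO` argument is an inline `createNiceMock(ArtifactDAO.class)` that is neither given an expectation nor passed to `replay`/`verify`, so the test would still pass if the `artifactDAO.merge(artifactEntity)` call were removed. I would hold the mock in a local variable, expect one `merge(artifactEntity)` call on it, and include it in the existing `replay(...)` and `verify(...)` calls. `new File(systemResourceURL.getFile())` uses the percent-encoded URL path and fails to open the fixture when the checkout directory contains a space; `new File(systemResourceURL.toURI())` avoids that. A second case with a descriptor that lacks the service-level "hdfs" identity or the NAMENODE component would cover the paths the happy-path fixture cannot reach.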
@@ -0,0 +1,1316 @@ +{ + "identities": [{ + "principal": { + "type": "service", + "value": "HTTP/_HOST@${realm}" + }, + "name": "spnego", + "keytab": { + "owner": { + "access": "r", + "name": "root" + }, + "file": "${keytab_dir}/spnego.service.keytab", + "group": { + "access": "r", + "name": "${cluster-env/user_group}" + } + } + }, { + "principal": { + "configuration": "cluster-env/smokeuser_principal_name", + "type": "user", + "local_username": "${cluster-env/smokeuser}", + "value": "${cluster-env/smokeuser}-${cluster_name}@${realm}" + }, + "name": "smokeuser", + "keytab": { + "owner": { + "access": "r", + "name": "${cluster-env/smokeuser}" + }, + "file": "${keytab_dir}/smokeuser.headless.keytab", + "configuration": "cluster-env/smokeuser_keytab", + "group": { + "access": "r", + "name": "${cluster-env/user_group}" + } + } + }], + "services": [{ + "components": [{ + "name": "MAHOUT" + }], + "identities": [{ + "name": "/smokeuser" + }, { + "name": "/HDFS/hdfs" + }], + "name": "MAHOUT" + }, { + "components": [{ + "identities": [{ + "principal": { + "configuration": "mapred-site/mapreduce.jobhistory.principal", + "type": "service", + "local_username": "${mapred-env/mapred_user}", + "value": "jhs/_HOST@${realm}" + }, + "name": "history_server_jhs", + "keytab": { + "owner": { + "access": "r", + "name": "${mapred-env/mapred_user}" + }, + "file": "${keytab_dir}/jhs.service.keytab", + "configuration": "mapred-site/mapreduce.jobhistory.keytab", + "group": { + "access": "", + "name": "${cluster-env/user_group}" + } + } + }, { + "principal": { + "configuration": "mapred-site/mapreduce.jobhistory.webapp.spnego-principal", + "type": "service", + "value": "HTTP/_HOST@${realm}" + }, + "name": "/spnego", + "keytab": { + "owner": {}, + "file": "${keytab_dir}/spnego.service.keytab", + "configuration": "mapred-site/mapreduce.jobhistory.webapp.spnego-keytab-file", + "group": {} + } + }], + "name": "HISTORYSERVER" + }], + "identities": [{ + "name": "/spnego" + }, { + "name": 
"/HDFS/hdfs" + }, { + "name": "/smokeuser" + }], + "name": "MAPREDUCE2" + }, { + "components": [{ + "identities": [{ + "principal": { + "configuration": "oozie-site/oozie.service.HadoopAccessorService.kerberos.principal", + "type": "service", + "local_username": "${oozie-env/oozie_user}", + "value": "oozie/_HOST@${realm}" + }, + "name": "oozie_server", + "keytab": { + "owner": { + "access": "r", + "name": "${oozie-env/oozie_user}" + }, + "file": "${keytab_dir}/oozie.service.keytab", + "configuration": "oozie-site/oozie.service.HadoopAccessorService.keytab.file", + "group": { + "access": "", + "name": "${cluster-env/user_group}" + } + } + }, { + "principal": { + "configuration": "oozie-site/oozie.authentication.kerberos.principal", + "type": "service" + }, + "name": "/spnego", + "keytab": { + "owner": {}, + "configuration": "oozie-site/oozie.authentication.kerberos.keytab", + "group": {} + } + }], + "name": "OOZIE_SERVER" + }], + "identities": [{ + "name": "/spnego" + }, { + "name": "/smokeuser" + }, { + "name": "/HDFS/hdfs" + }], + "auth_to_local_properties": [ + "oozie-site/oozie.authentication.kerberos.name.rules" + ], + "configurations": [{ + "oozie-site": { + "oozie.service.HadoopAccessorService.kerberos.enabled": "true", + "oozie.authentication.type": "kerberos", + "oozie.service.AuthorizationService.authorization.enabled": "true", + "local.realm": "${realm}", + "oozie.credentials.credentialclasses": "hcat=org.apache.oozie.action.hadoop.HCatCredentials,hive2=org.apache.oozie.action.hadoop.Hive2Credentials" + } + }], + "name": "OOZIE" + }, { + "components": [{ + "identities": [{ + "principal": { + "configuration": "hdfs-site/dfs.secondary.namenode.kerberos.principal", + "type": "service", + "local_username": "${hadoop-env/hdfs_user}", + "value": "nn/_HOST@${realm}" + }, + "name": "secondary_namenode_nn", + "keytab": { + "owner": { + "access": "r", + "name": "${hadoop-env/hdfs_user}" + }, + "file": "${keytab_dir}/nn.service.keytab", + "configuration": 
"hdfs-site/dfs.secondary.namenode.keytab.file", + "group": { + "access": "", + "name": "${cluster-env/user_group}" + } + } + }, { + "principal": { + "configuration": "hdfs-site/dfs.secondary.namenode.kerberos.internal.spnego.principal", + "type": "service", + "value": "HTTP/_HOST@${realm}" + }, + "name": "/spnego" + }], + "name": "SECONDARY_NAMENODE" + }, { + "identities": [{ + "principal": { + "configuration": "hdfs-site/dfs.datanode.kerberos.principal", + "type": "service", + "local_username": "${hadoop-env/hdfs_user}", + "value": "dn/_HOST@${realm}" + }, + "name": "datanode_dn", + "keytab": { + "owner": { + "access": "r", + "name": "${hadoop-env/hdfs_user}" + }, + "file": "${keytab_dir}/dn.service.keytab", + "configuration": "hdfs-site/dfs.datanode.keytab.file", + "group": { + "access": "", + "name": "${cluster-env/user_group}" + } + } + }], + "configurations": [{ + "hdfs-site": { + "dfs.datanode.address": "0.0.0.0:1019", + "dfs.datanode.http.address": "0.0.0.0:1022" + } + }], + "name": "DATANODE" + }, { + "identities": [{ + "principal": { + "configuration": "hdfs-site/nfs.kerberos.principal", + "type": "service", + "local_username": "${hadoop-env/hdfs_user}", + "value": "nfs/_HOST@${realm}" + }, + "name": "nfsgateway", + "keytab": { + "owner": { + "access": "r", + "name": "${hadoop-env/hdfs_user}" + }, + "file": "${keytab_dir}/nfs.service.keytab", + "configuration": "hdfs-site/nfs.keytab.file", + "group": { + "access": "", + "name": "${cluster-env/user_group}" + } + } + }], + "name": "NFS_GATEWAY" + }, { + "identities": [{ + "principal": { + "configuration": "hdfs-site/dfs.journalnode.kerberos.principal", + "type": "service", + "local_username": "${hadoop-env/hdfs_user}", + "value": "jn/_HOST@${realm}" + }, + "name": "journalnode_jn", + "keytab": { + "owner": { + "access": "r", + "name": "${hadoop-env/hdfs_user}" + }, + "file": "${keytab_dir}/jn.service.keytab", + "configuration": "hdfs-site/dfs.journalnode.keytab.file", + "group": { + "access": "", + "name": 
"${cluster-env/user_group}" + } + } + }, { + "principal": { + "configuration": "hdfs-site/dfs.journalnode.kerberos.internal.spnego.principal", + "type": "service", + "value": "HTTP/_HOST@${realm}" + }, + "name": "/spnego" + }], + "name": "JOURNALNODE" + }, { + "identities": [{ + "principal": { + "configuration": "hdfs-site/dfs.namenode.kerberos.principal", + "type": "service", + "local_username": "${hadoop-env/hdfs_user}", + "value": "nn/_HOST@${realm}" + }, + "name": "namenode_nn", + "keytab": { + "owner": { + "access": "r", + "name": "${hadoop-env/hdfs_user}" + }, + "file": "${keytab_dir}/nn.service.keytab", + "configuration": "hdfs-site/dfs.namenode.keytab.file", + "group": { + "access": "", + "name": "${cluster-env/user_group}" + } + } + }, { + "principal": { + "configuration": "hdfs-site/dfs.namenode.kerberos.internal.spnego.principal", + "type": "service", + "value": "HTTP/_HOST@${realm}" + }, + "name": "/spnego" + }], + "configurations": [{ + "hdfs-site": { + "dfs.block.access.token.enable": "true" + } + }], + "name": "NAMENODE" + }], + "identities": [{ + "principal": { + "configuration": "hdfs-site/dfs.web.authentication.kerberos.principal", + "type": "service", + "value": "HTTP/_HOST@${realm}" + }, + "name": "/spnego", + "keytab": { + "owner": {}, + "file": "${keytab_dir}/spnego.service.keytab", + "configuration": "hdfs-site/dfs.web.authentication.kerberos.keytab", + "group": {} + } + }, { + "name": "/smokeuser" + }, { + "principal": { + "configuration": "hadoop-env/hdfs_principal_name", + "type": "user", + "local_username": "${hadoop-env/hdfs_user}", + "value": "${hadoop-env/hdfs_user}-${cluster_name}@${realm}" + }, + "name": "hdfs", + "keytab": { + "owner": { + "access": "r", + "name": "${hadoop-env/hdfs_user}" + }, + "file": "${keytab_dir}/hdfs.headless.keytab", + "configuration": "hadoop-env/hdfs_user_keytab", + "group": { + "access": "r", + "name": "${cluster-env/user_group}" + } + } + }], + "auth_to_local_properties": [ + 
"core-site/hadoop.security.auth_to_local" + ], + "configurations": [{ + "core-site": { + "hadoop.security.authorization": "true", + "hadoop.security.authentication": "kerberos", + "hadoop.proxyuser.HTTP.groups": "${hadoop-env/proxyuser_group}" + } + }], + "name": "HDFS" + }, { + "components": [{ + "configurations": [{ + "tez-site": { + "tez.am.view-acls": "" + } + }], + "name": "TEZ_CLIENT" + }], + "name": "TEZ" + }, { + "components": [{ + "name": "SPARK_CLIENT" + }, { + "name": "SPARK_JOBHISTORYSERVER" + }], + "identities": [{ + "name": "/smokeuser" + }, { + "name": "/HDFS/hdfs" + }, { + "principal": { + "configuration": "spark-defaults/spark.history.kerberos.principal", + "type": "user", + "local_username": "${spark-env/spark_user}", + "value": "${spark-env/spark_user}-${cluster_name}@${realm}" + }, + "name": "sparkuser", + "keytab": { + "owner": { + "access": "r", + "name": "${spark-env/spark_user}" + }, + "file": "${keytab_dir}/spark.headless.keytab", + "configuration": "spark-defaults/spark.history.kerberos.keytab", + "group": { + "access": "", + "name": "${cluster-env/user_group}" + } + } + }], + "configurations": [{ + "spark-defaults": { + "spark.history.kerberos.enabled": "true" + } + }], + "name": "SPARK" + }, { + "components": [{ + "name": "ACCUMULO_MASTER" + }, { + "name": "ACCUMULO_MONITOR" + }, { + "name": "ACCUMULO_CLIENT" + }, { + "name": "ACCUMULO_TRACER" + }, { + "name": "ACCUMULO_TSERVER" + }, { + "name": "ACCUMULO_GC" + }], + "identities": [{ + "principal": { + "configuration": "accumulo-env/accumulo_principal_name", + "type": "user", + "local_username": "${accumulo-env/accumulo_user}", + "value": "${accumulo-env/accumulo_user}-${cluster_name}@${realm}" + }, + "name": "accumulo", + "keytab": { + "owner": { + "access": "r", + "name": "${accumulo-env/accumulo_user}" + }, + "file": "${keytab_dir}/accumulo.headless.keytab", + "configuration": "accumulo-env/accumulo_user_keytab", + "group": { + "access": "r", + "name": "${cluster-env/user_group}" + } 
+ }
+ }, {
+ "principal": {
+ "configuration": "accumulo-site/general.kerberos.principal",
+ "type": "service",
+ "local_username": "${accumulo-env/accumulo_user}",
+ "value": "${accumulo-env/accumulo_user}/_HOST@${realm}"
+ },
+ "name": "accumulo_service",
+ "keytab": {
+ "owner": {
+ "access": "r",
+ "name": "${accumulo-env/accumulo_user}"
+ },
+ "file": "${keytab_dir}/accumulo.service.keytab",
+ "configuration": "accumulo-site/general.kerberos.keytab",
+ "group": {
+ "access": "",
+ "name": "${cluster-env/user_group}"
+ }
+ }
+ }, {
+ "principal": {
+ "configuration": "accumulo-site/trace.user",
+ "type": "user",
+ "local_username": "${accumulo-env/accumulo_user}",
+ "value": "tracer-${cluster_name}@${realm}"
+ },
+ "name": "accumulo_tracer",
+ "keytab": {
+ "owner": {
+ "access": "r",
+ "name": "${accumulo-env/accumulo_user}"
+ },
+ "file": "${keytab_dir}/accumulo-tracer.headless.keytab",
+ "configuration": "accumulo-site/trace.token.property.keytab",
+ "group": {
+ "access": "",
+ "name": "${cluster-env/user_group}"
+ }
+ }
+ }, {
+ "name": "/HDFS/hdfs"
+ }, {
+ "name": "/smokeuser"
+ }],
+ "configurations": [{
+ "accumulo-site": {
+ "instance.security.authenticator": "org.apache.accumulo.server.security.handler.KerberosAuthenticator",
+ "instance.rpc.sasl.enabled": "true",
+ "general.delegation.token.lifetime": "7d",
+ "trace.token.type": "org.apache.accumulo.core.client.security.tokens.KerberosToken",
+ "instance.security.permissionHandler": "org.apache.accumulo.server.security.handler.KerberosPermissionHandler",
+ "general.delegation.token.update.interval": "1d",
+ "instance.security.authorizor": "org.apache.accumulo.server.security.handler.KerberosAuthorizor"
+ }
+ }],
+ "name": "ACCUMULO"
+ }, {
+ "components": [{
+ "identities": [{
+ "principal": {
+ "configuration": "zookeeper-env/zookeeper_principal_name",
+ "type": "service",
+ "value": "zookeeper/_HOST@${realm}"
+ },
+ "name": "zookeeper_zk",
+ "keytab": {
+ "owner": {
+ "access": "r",
+ "name": "${zookeeper-env/zk_user}"
+ },
+ "file": "${keytab_dir}/zk.service.keytab",
+ "configuration": "zookeeper-env/zookeeper_keytab_path",
+ "group": {
+ "access": "",
+ "name": "${cluster-env/user_group}"
+ }
+ }
+ }],
+ "name": "ZOOKEEPER_SERVER"
+ }],
+ "identities": [{
+ "name": "/smokeuser"
+ }],
+ "name": "ZOOKEEPER"
+ }, {
+ "components": [{
+ "identities": [{
+ "principal": {
+ "configuration": "hbase-site/hbase.regionserver.kerberos.principal",
+ "type": "service",
+ "local_username": "${hbase-env/hbase_user}",
+ "value": "hbase/_HOST@${realm}"
+ },
+ "name": "hbase_regionserver_hbase",
+ "keytab": {
+ "owner": {
+ "access": "r",
+ "name": "${hbase-env/hbase_user}"
+ },
+ "file": "${keytab_dir}/hbase.service.keytab",
+ "configuration": "hbase-site/hbase.regionserver.keytab.file",
+ "group": {
+ "access": "",
+ "name": "${cluster-env/user_group}"
+ }
+ }
+ }],
+ "name": "HBASE_REGIONSERVER"
+ }, {
+ "identities": [{
+ "principal": {
+ "configuration": "hbase-site/hbase.master.kerberos.principal",
+ "type": "service",
+ "local_username": "${hbase-env/hbase_user}",
+ "value": "hbase/_HOST@${realm}"
+ },
+ "name": "hbase_master_hbase",
+ "keytab": {
+ "owner": {
+ "access": "r",
+ "name": "${hbase-env/hbase_user}"
+ },
+ "file": "${keytab_dir}/hbase.service.keytab",
+ "configuration": "hbase-site/hbase.master.keytab.file",
+ "group": {
+ "access": "",
+ "name": "${cluster-env/user_group}"
+ }
+ }
+ }],
+ "name": "HBASE_MASTER"
+ }, {
+ "identities": [{
+ "principal": {
+ "configuration": "hbase-site/phoenix.queryserver.kerberos.principal",
+ "type": "service",
+ "local_username": "${hbase-env/hbase_user}",
+ "value": "hbase/_HOST@${realm}"
+ },
+ "name": "hbase_queryserver_hbase",
+ "keytab": {
+ "owner": {
+ "access": "r",
+ "name": "${hbase-env/hbase_user}"
+ },
+ "file": "${keytab_dir}/hbase.service.keytab",
+ "configuration": "hbase-site/phoenix.queryserver.keytab.file",
+ "group": {
+ "access": "",
+ "name": "${cluster-env/user_group}"
+ }
+ }
+ }],
+ "name": "PHOENIX_QUERY_SERVER"
+ }],
+ "identities": [{
+ "name": "/spnego"
+ }, {
+ "name": "/HDFS/hdfs"
+ }, {
+ "principal": {
+ "configuration": "hbase-env/hbase_principal_name",
+ "type": "user",
+ "local_username": "${hbase-env/hbase_user}",
+ "value": "${hbase-env/hbase_user}-${cluster_name}@${realm}"
+ },
+ "name": "hbase",
+ "keytab": {
+ "owner": {
+ "access": "r",
+ "name": "${hbase-env/hbase_user}"
+ },
+ "file": "${keytab_dir}/hbase.headless.keytab",
+ "configuration": "hbase-env/hbase_user_keytab",
+ "group": {
+ "access": "r",
+ "name": "${cluster-env/user_group}"
+ }
+ }
+ }, {
+ "name": "/smokeuser"
+ }],
+ "configurations": [{
+ "hbase-site": {
+ "hbase.coprocessor.master.classes": "{{hbase_coprocessor_master_classes}}",
+ "hbase.security.authentication": "kerberos",
+ "hbase.coprocessor.region.classes": "{{hbase_coprocessor_region_classes}}",
+ "hbase.security.authorization": "true",
+ "hbase.bulkload.staging.dir": "/apps/hbase/staging",
+ "zookeeper.znode.parent": "/hbase-secure"
+ }
+ }],
+ "name": "HBASE"
+ }, {
+ "components": [{
+ "name": "KERBEROS_CLIENT"
+ }],
+ "identities": [{
+ "name": "/smokeuser"
+ }],
+ "name": "KERBEROS"
+ }, {
+ "components": [{
+ "identities": [{
+ "principal": {
+ "configuration": "kms-site/hadoop.kms.authentication.signer.secret.provider.zookeeper.kerberos.principal",
+ "type": "service"
+ },
+ "name": "/spnego",
+ "keytab": {
+ "owner": {},
+ "configuration": "kms-site/hadoop.kms.authentication.signer.secret.provider.zookeeper.kerberos.keytab",
+ "group": {}
+ }
+ }, {
+ "name": "/smokeuser"
+ }],
+ "name": "RANGER_KMS_SERVER"
+ }],
+ "identities": [{
+ "name": "/spnego",
+ "keytab": {
+ "owner": {},
+ "configuration": "kms-site/hadoop.kms.authentication.kerberos.keytab",
+ "group": {}
+ }
+ }, {
+ "name": "/smokeuser"
+ }],
+ "configurations": [{
+ "kms-site": {
+ "hadoop.kms.authentication.kerberos.principal": "*",
+ "hadoop.kms.authentication.type": "kerberos"
+ }
+ }],
+ "name": "RANGER_KMS"
+ }, {
+ "components": [{
+ "identities": [{
+ "principal": {
+ "configuration": "yarn-site/yarn.nodemanager.principal",
+ "type": "service",
+ "local_username": "${yarn-env/yarn_user}",
+ "value": "nm/_HOST@${realm}"
+ },
+ "name": "nodemanager_nm",
+ "keytab": {
+ "owner": {
+ "access": "r",
+ "name": "${yarn-env/yarn_user}"
+ },
+ "file": "${keytab_dir}/nm.service.keytab",
+ "configuration": "yarn-site/yarn.nodemanager.keytab",
+ "group": {
+ "access": "",
+ "name": "${cluster-env/user_group}"
+ }
+ }
+ }, {
+ "principal": {
+ "configuration": "yarn-site/yarn.nodemanager.webapp.spnego-principal",
+ "type": "service",
+ "value": "HTTP/_HOST@${realm}"
+ },
+ "name": "/spnego",
+ "keytab": {
+ "owner": {},
+ "file": "${keytab_dir}/spnego.service.keytab",
+ "configuration": "yarn-site/yarn.nodemanager.webapp.spnego-keytab-file",
+ "group": {}
+ }
+ }],
+ "configurations": [{
+ "yarn-site": {
+ "yarn.nodemanager.container-executor.class": "org.apache.hadoop.yarn.server.nodemanager.LinuxContainerExecutor"
+ }
+ }],
+ "name": "NODEMANAGER"
+ }, {
+ "identities": [{
+ "principal": {
+ "configuration": "yarn-site/yarn.timeline-service.principal",
+ "type": "service",
+ "local_username": "${yarn-env/yarn_user}",
+ "value": "yarn/_HOST@${realm}"
+ },
+ "name": "app_timeline_server_yarn",
+ "keytab": {
+ "owner": {
+ "access": "r",
+ "name": "${yarn-env/yarn_user}"
+ },
+ "file": "${keytab_dir}/yarn.service.keytab",
+ "configuration": "yarn-site/yarn.timeline-service.keytab",
+ "group": {
+ "access": "",
+ "name": "${cluster-env/user_group}"
+ }
+ }
+ }, {
+ "principal": {
+ "configuration": "yarn-site/yarn.timeline-service.http-authentication.kerberos.principal",
+ "type": "service",
+ "value": "HTTP/_HOST@${realm}"
+ },
+ "name": "/spnego",
+ "keytab": {
+ "owner": {},
+ "file": "${keytab_dir}/spnego.service.keytab",
+ "configuration": "yarn-site/yarn.timeline-service.http-authentication.kerberos.keytab",
+ "group": {}
+ }
+ }],
+ "name": "APP_TIMELINE_SERVER"
+ }, {
+ "identities": [{
+ "principal": {
+ "configuration": "yarn-site/yarn.resourcemanager.principal",
+ "type": "service",
+ "local_username": "${yarn-env/yarn_user}",
+ "value": "rm/_HOST@${realm}"
+ },
+ "name": "resource_manager_rm",
+ "keytab": {
+ "owner": {
+ "access": "r",
+ "name": "${yarn-env/yarn_user}"
+ },
+ "file": "${keytab_dir}/rm.service.keytab",
+ "configuration": "yarn-site/yarn.resourcemanager.keytab",
+ "group": {
+ "access": "",
+ "name": "${cluster-env/user_group}"
+ }
+ }
+ }, {
+ "principal": {
+ "configuration": "yarn-site/yarn.resourcemanager.webapp.spnego-principal",
+ "type": "service",
+ "value": "HTTP/_HOST@${realm}"
+ },
+ "name": "/spnego",
+ "keytab": {
+ "owner": {},
+ "file": "${keytab_dir}/spnego.service.keytab",
+ "configuration": "yarn-site/yarn.resourcemanager.webapp.spnego-keytab-file",
+ "group": {}
+ }
+ }],
+ "name": "RESOURCEMANAGER"
+ }],
+ "identities": [{
+ "name": "/spnego"
+ }, {
+ "name": "/HDFS/hdfs"
+ }, {
+ "name": "/smokeuser"
+ }],
+ "configurations": [{
+ "capacity-scheduler": {
+ "yarn.scheduler.capacity.root.default.acl_administer_queue": "${yarn-env/yarn_user}",
+ "yarn.scheduler.capacity.root.acl_administer_queue": "${yarn-env/yarn_user}",
+ "yarn.scheduler.capacity.root.default.acl_administer_jobs": "${yarn-env/yarn_user}",
+ "yarn.scheduler.capacity.root.acl_administer_jobs": "${yarn-env/yarn_user}",
+ "yarn.scheduler.capacity.root.default.acl_submit_applications": "${yarn-env/yarn_user}"
+ }
+ }, {
+ "yarn-site": {
+ "yarn.timeline-service.http-authentication.signer.secret.provider.object": "",
+ "yarn.resourcemanager.proxyusers.*.users": "",
+ "yarn.timeline-service.http-authentication.token.validity": "",
+ "yarn.admin.acl": "${yarn-env/yarn_user},dr.who",
+ "yarn.timeline-service.http-authentication.kerberos.name.rules": "",
+ "yarn.timeline-service.http-authentication.cookie.path": "",
+ "yarn.timeline-service.http-authentication.type": "kerberos",
+ "yarn.nodemanager.linux-container-executor.cgroups.mount-path": "",
+ "yarn.resourcemanager.proxy-user-privileges.enabled": "true",
+ "yarn.acl.enable": "true",
+ "yarn.timeline-service.http-authentication.signer.secret.provider": "",
+ "yarn.timeline-service.http-authentication.proxyusers.*.groups": "",
+ "yarn.timeline-service.http-authentication.proxyusers.*.hosts": "",
+ "yarn.timeline-service.http-authentication.signature.secret": "",
+ "yarn.timeline-service.http-authentication.signature.secret.file": "",
+ "yarn.resourcemanager.proxyusers.*.hosts": "",
+ "yarn.resourcemanager.proxyusers.*.groups": "",
+ "yarn.timeline-service.enabled": "true",
+ "yarn.timeline-service.http-authentication.proxyusers.*.users": "",
+ "yarn.timeline-service.http-authentication.cookie.domain": ""
+ }
+ }, {
+ "core-site": {
+ "hadoop.proxyuser.yarn.groups": "*",
+ "hadoop.proxyuser.yarn.hosts": "${yarn-site/yarn.resourcemanager.hostname}"
+ }
+ }],
+ "name": "YARN"
+ }, {
+ "components": [{
+ "identities": [{
+ "principal": {
+ "configuration": "knox-env/knox_principal_name",
+ "type": "service",
+ "local_username": "${knox-env/knox_user}",
+ "value": "${knox-env/knox_user}/_HOST@${realm}"
+ },
+ "name": "knox_principal",
+ "keytab": {
+ "owner": {
+ "access": "r",
+ "name": "${knox-env/knox_user}"
+ },
+ "file": "${keytab_dir}/knox.service.keytab",
+ "configuration": "knox-env/knox_keytab_path",
+ "group": {
+ "access": "",
+ "name": "${cluster-env/user_group}"
+ }
+ }
+ }],
+ "configurations": [{
+ "oozie-site": {
+ "oozie.service.ProxyUserService.proxyuser.${knox-env/knox_user}.groups": "${hadoop-env/proxyuser_group}",
+ "oozie.service.ProxyUserService.proxyuser.${knox-env/knox_user}.hosts": "${clusterHostInfo/knox_gateway_hosts}"
+ }
+ }, {
+ "webhcat-site": {
+ "webhcat.proxyuser.${knox-env/knox_user}.groups": "${hadoop-env/proxyuser_group}",
+ "webhcat.proxyuser.${knox-env/knox_user}.hosts": "${clusterHostInfo/knox_gateway_hosts}"
+ }
+ }, {
+ "gateway-site": {
+ "gateway.hadoop.kerberos.secured": "true",
+ "java.security.krb5.conf": "/etc/krb5.conf"
+ }
+ }, {
+ "core-site": {
+ "hadoop.proxyuser.${knox-env/knox_user}.hosts": "${clusterHostInfo/knox_gateway_hosts}",
+ "hadoop.proxyuser.${knox-env/knox_user}.groups": "${hadoop-env/proxyuser_group}"
+ }
+ }],
+ "name": "KNOX_GATEWAY"
+ }],
+ "name": "KNOX"
+ }, {
+ "components": [{
+ "identities": [{
+ "principal": {
+ "configuration": "storm-env/storm_ui_principal_name",
+ "type": "service"
+ },
+ "name": "/spnego",
+ "keytab": {
+ "owner": {},
+ "configuration": "storm-env/storm_ui_keytab",
+ "group": {}
+ }
+ }],
+ "name": "STORM_UI_SERVER"
+ }, {
+ "name": "SUPERVISOR"
+ }, {
+ "identities": [{
+ "principal": {
+ "configuration": "storm-env/nimbus_principal_name",
+ "type": "service",
+ "value": "nimbus/_HOST@${realm}"
+ },
+ "name": "nimbus_server",
+ "keytab": {
+ "owner": {
+ "access": "r",
+ "name": "${storm-env/storm_user}"
+ },
+ "file": "${keytab_dir}/nimbus.service.keytab",
+ "configuration": "storm-env/nimbus_keytab",
+ "group": {
+ "access": "",
+ "name": "${cluster-env/user_group}"
+ }
+ }
+ }],
+ "name": "NIMBUS"
+ }, {
+ "identities": [{
+ "principal": {
+ "configuration": "storm-env/nimbus_principal_name",
+ "type": "service",
+ "value": "nimbus/_HOST@${realm}"
+ },
+ "name": "nimbus_server",
+ "keytab": {
+ "owner": {
+ "access": "r",
+ "name": "${storm-env/storm_user}"
+ },
+ "file": "${keytab_dir}/nimbus.service.keytab",
+ "configuration": "storm-env/nimbus_keytab",
+ "group": {
+ "access": "",
+ "name": "${cluster-env/user_group}"
+ }
+ }
+ }],
+ "name": "DRPC_SERVER"
+ }],
+ "identities": [{
+ "name": "/spnego"
+ }, {
+ "name": "/smokeuser"
+ }, {
+ "principal": {
+ "configuration": "storm-env/storm_principal_name",
+ "type": "user",
+ "value": "${storm-env/storm_user}-${cluster_name}@${realm}"
+ },
+ "name": "storm_components",
+ "keytab": {
+ "owner": {
+ "access": "r",
+ "name": "${storm-env/storm_user}"
+ },
+ "file": "${keytab_dir}/storm.headless.keytab",
+ "configuration": "storm-env/storm_keytab",
+ "group": {
+ "access": "",
+ "name": "${cluster-env/user_group}"
+ }
+ }
+ }],
+ "configurations": [{
+ "storm-site": {
+ "nimbus.authorizer": "backtype.storm.security.auth.authorizer.SimpleACLAuthorizer",
+ "java.security.auth.login.config": "{{conf_dir}}/storm_jaas.conf",
+ "drpc.authorizer": "backtype.storm.security.auth.authorizer.DRPCSimpleACLAuthorizer",
+ "storm.principal.tolocal": "backtype.storm.security.auth.KerberosPrincipalToLocal",
+ "storm.zookeeper.superACL": "sasl:{{storm_bare_jaas_principal}}",
+ "ui.filter.params": "{'type': 'kerberos', 'kerberos.principal': '{{storm_ui_jaas_principal}}', 'kerberos.keytab': '{{storm_ui_keytab_path}}', 'kerberos.name.rules': 'DEFAULT'}",
+ "nimbus.supervisor.users": "['{{storm_bare_jaas_principal}}']",
+ "nimbus.admins": "['{{storm_bare_jaas_principal}}']",
+ "ui.filter": "org.apache.hadoop.security.authentication.server.AuthenticationFilter",
+ "supervisor.enable": "true"
+ }
+ }],
+ "name": "STORM"
+ }, {
+ "components": [{
+ "identities": [{
+ "principal": {
+ "configuration": "application-properties/atlas.authentication.principal",
+ "type": "service",
+ "local_username": "${atlas-env/metadata_user}",
+ "value": "atlas/_HOST@${realm}"
+ },
+ "name": "atlas",
+ "keytab": {
+ "owner": {
+ "access": "r",
+ "name": "${atlas-env/metadata_user}"
+ },
+ "file": "${keytab_dir}/atlas.service.keytab",
+ "configuration": "application-properties/atlas.authentication.keytab",
+ "group": {
+ "access": "",
+ "name": "${cluster-env/user_group}"
+ }
+ }
+ }, {
+ "principal": {
+ "configuration": "application-properties/atlas.http.authentication.kerberos.principal",
+ "type": "service",
+ "value": "HTTP/_HOST@${realm}"
+ },
+ "name": "/spnego",
+ "keytab": {
+ "owner": {},
+ "configuration": "application-properties/atlas.http.authentication.kerberos.keytab",
+ "group": {}
+ }
+ }],
+ "name": "ATLAS_SERVER"
+ }],
+ "auth_to_local_properties": [
+ "application-properties/atlas.http.authentication.kerberos.name.rules"
+ ],
+ "configurations": [{
+ "application-properties": {
+ "atlas.authentication.method": "kerberos",
+ "atlas.http.authentication.enabled": "true",
+ "atlas.http.authentication.type": "kerberos"
+ }
+ }],
+ "name": "ATLAS"
+ }, {
+ "components": [{
+ "identities": [{
+ "principal": {
+ "configuration": "hive-site/hive.server2.authentication.kerberos.principal",
+ "type": "service",
+ "local_username": "${hive-env/hive_user}",
+ "value": "hive/_HOST@${realm}"
+ },
+ "name": "hive_server_hive",
+ "keytab": {
+ "owner": {
+ "access": "r",
+ "name": "${hive-env/hive_user}"
+ },
+ "file": "${keytab_dir}/hive.service.keytab",
+ "configuration": "hive-site/hive.server2.authentication.kerberos.keytab",
+ "group": {
+ "access": "",
+ "name": "${cluster-env/user_group}"
+ }
+ }
+ }, {
+ "principal": {
+ "configuration": "hive-site/hive.server2.authentication.spnego.principal",
+ "type": "service"
+ },
+ "name": "/spnego",
+ "keytab": {
+ "owner": {},
+ "configuration": "hive-site/hive.server2.authentication.spnego.keytab",
+ "group": {}
+ }
+ }],
+ "name": "HIVE_SERVER"
+ }, {
+ "identities": [{
+ "principal": {
+ "configuration": "hive-site/hive.metastore.kerberos.principal",
+ "type": "service",
+ "local_username": "${hive-env/hive_user}",
+ "value": "hive/_HOST@${realm}"
+ },
+ "name": "hive_metastore_hive",
+ "keytab": {
+ "owner": {
+ "access": "r",
+ "name": "${hive-env/hive_user}"
+ },
+ "file": "${keytab_dir}/hive.service.keytab",
+ "configuration": "hive-site/hive.metastore.kerberos.keytab.file",
+ "group": {
+ "access": "",
+ "name": "${cluster-env/user_group}"
+ }
+ }
+ }],
+ "name": "HIVE_METASTORE"
+ }, {
+ "identities": [{
+ "principal": {
+ "configuration": "webhcat-site/templeton.kerberos.principal",
+ "type": "service"
+ },
+ "name": "/spnego",
+ "keytab": {
+ "owner": {},
+ "configuration": "webhcat-site/templeton.kerberos.keytab",
+ "group": {}
+ }
+ }],
+ "name": "WEBHCAT_SERVER"
+ }],
+ "identities": [{
+ "name": "/spnego"
+ }, {
+ "name": "/smokeuser"
+ }],
+ "configurations": [{
+ "hive-site": {
+ "hive.metastore.sasl.enabled": "true",
+ "hive.server2.authentication": "KERBEROS"
+ }
+ }, {
+ "webhcat-site": {
+ "templeton.hive.properties": "hive.metastore.local=false,hive.metastore.uris=${clusterHostInfo/hive_metastore_host|each(thrift://%s:9083, \\\\,, \\s*\\,\\s*)},hive.metastore.sasl.enabled=true,hive.metastore.execute.setugi=true,hive.metastore.warehouse.dir=/apps/hive/warehouse,hive.exec.mode.local.auto=false,hive.metastore.kerberos.principal=hive/_HOST@${realm}",
+ "templeton.kerberos.secret": "secret"
+ }
+ }, {
+ "core-site": {
+ "hadoop.proxyuser.HTTP.hosts": "${clusterHostInfo/webhcat_server_host}"
+ }
+ }],
+ "name": "HIVE"
+ }, {
+ "components": [{
+ "identities": [{
+ "principal": {
+ "configuration": "ams-hbase-security-site/hbase.master.kerberos.principal",
+ "type": "service",
+ "local_username": "${ams-env/ambari_metrics_user}",
+ "value": "amshbasemaster/_HOST@${realm}"
+ },
+ "name": "ams_hbase_master_hbase",
+ "keytab": {
+ "owner": {
+ "access": "r",
+ "name": "${ams-env/ambari_metrics_user}"
+ },
+ "file": "${keytab_dir}/ams-hbase.master.keytab",
+ "configuration": "ams-hbase-security-site/hbase.master.keytab.file",
+ "group": {
+ "access": "",
+ "name": "${cluster-env/user_group}"
+ }
+ }
+ }, {
+ "principal": {
+ "configuration": "ams-hbase-security-site/hbase.regionserver.kerberos.principal",
+ "type": "service",
+ "local_username": "${ams-env/ambari_metrics_user}",
+ "value": "amshbasers/_HOST@${realm}"
+ },
+ "name": "ams_hbase_regionserver_hbase",
+ "keytab": {
+ "owner": {
+ "access": "r",
+ "name": "${ams-env/ambari_metrics_user}"
+ },
+ "file": "${keytab_dir}/ams-hbase.regionserver.keytab",
+ "configuration": "ams-hbase-security-site/hbase.regionserver.keytab.file",
+ "group": {
+ "access": "",
+ "name": "${cluster-env/user_group}"
+ }
+ }
+ }, {
+ "principal": {
+ "configuration": "ams-hbase-security-site/hbase.myclient.principal",
+ "type": "service",
+ "local_username": "${ams-env/ambari_metrics_user}",
+ "value": "amshbase/_HOST@${realm}"
+ },
+ "name": "ams_collector",
+ "keytab": {
+ "owner": {
+ "access": "r",
+ "name": "${ams-env/ambari_metrics_user}"
+ },
+ "file": "${keytab_dir}/ams.collector.keytab",
+ "configuration": "ams-hbase-security-site/hbase.myclient.keytab",
+ "group": {
+ "access": "",
+ "name": "${cluster-env/user_group}"
+ }
+ }
+ }, {
+ "principal": {
+ "configuration": "ams-hbase-security-site/ams.zookeeper.principal",
+ "type": "service",
+ "local_username": "${ams-env/ambari_metrics_user}",
+ "value": "amszk/_HOST@${realm}"
+ },
+ "name": "ams_zookeeper",
+ "keytab": {
+ "owner": {
+ "access": "r",
+ "name": "${ams-env/ambari_metrics_user}"
+ },
+ "file": "${keytab_dir}/ams-zk.service.keytab",
+ "configuration": "ams-hbase-security-site/ams.zookeeper.keytab",
+ "group": {
+ "access": "",
+ "name": "${cluster-env/user_group}"
+ }
+ }
+ }],
+ "configurations": [{
+ "ams-hbase-security-site": {
+ "hbase.coprocessor.master.classes": "org.apache.hadoop.hbase.security.access.AccessController",
+ "hadoop.security.authentication": "kerberos",
+ "hbase.security.authentication": "kerberos",
+ "hbase.coprocessor.region.classes": "org.apache.hadoop.hbase.security.token.TokenProvider,org.apache.hadoop.hbase.security.access.AccessController",
+ "hbase.security.authorization": "true",
+ "zookeeper.znode.parent": "/ams-hbase-secure",
+ "hbase.zookeeper.property.kerberos.removeRealmFromPrincipal": "true",
+ "hbase.zookeeper.property.jaasLoginRenew": "3600000",
+ "hbase.zookeeper.property.authProvider.1": "org.apache.zookeeper.server.auth.SASLAuthenticationProvider",
+ "hbase.zookeeper.property.kerberos.removeHostFromPrincipal": "true"
+ }
+ }],
+ "name": "METRICS_COLLECTOR"
+ }],
+ "identities": [{
+ "name": "/spnego"
+ }],
+ "name": "AMBARI_METRICS"
+ }, {
+ "components": [{
+ "identities": [{
+ "principal": {
+ "configuration": "kafka-env/kafka_principal_name",
+ "type": "service",
+ "value": "${kafka-env/kafka_user}/_HOST@${realm}"
+ },
+ "name": "kafka_broker",
+ "keytab": {
+ "owner": {
+ "access": "r",
+ "name": "${kafka-env/kafka_user}"
+ },
+ "file": "${keytab_dir}/kafka.service.keytab",
+ "configuration": "kafka-env/kafka_keytab",
+ "group": {
+ "access": "",
+ "name": "${cluster-env/user_group}"
+ }
+ }
+ }],
+ "name": "KAFKA_BROKER"
+ }],
+ "identities": [{
+ "name": "/smokeuser"
+ }],
+ "configurations": [{
+ "kafka-broker": {
+ "principal.to.local.class": "kafka.security.auth.KerberosPrincipalToLocal",
+ "authorizer.class.name": "kafka.security.auth.SimpleAclAuthorizer",
+ "super.users": "user:${kafka-env/kafka_user}",
+ "security.inter.broker.protocol": "PLAINTEXTSASL"
+ }
+ }],
+ "name": "KAFKA"
+ }, {
+ "components": [{
+ "identities": [{
+ "principal": {
+ "configuration": "falcon-startup.properties/*.falcon.service.authentication.kerberos.principal",
+ "type": "service",
+ "local_username": "${falcon-env/falcon_user}",
+ "value": "falcon/_HOST@${realm}"
+ },
+ "name": "falcon_server",
+ "keytab": {
+ "owner": {
+ "access": "r",
+ "name": "${falcon-env/falcon_user}"
+ },
+ "file": "${keytab_dir}/falcon.service.keytab",
+ "configuration": "falcon-startup.properties/*.falcon.service.authentication.kerberos.keytab",
+ "group": {
+ "access": "",
+ "name": "${cluster-env/user_group}"
+ }
+ }
+ }, {
+ "principal": {
+ "configuration": "falcon-startup.properties/*.falcon.http.authentication.kerberos.principal",
+ "type": "service",
+ "value": "HTTP/_HOST@${realm}"
+ },
+ "name": "/spnego",
+ "keytab": {
+ "owner": {},
+ "configuration": "falcon-startup.properties/*.falcon.http.authentication.kerberos.keytab",
+ "group": {}
+ }
+ }],
+ "name": "FALCON_SERVER"
+ }],
+ "identities": [{
+ "name": "/spnego"
+ }, {
+ "name": "/smokeuser"
+ }, {
+ "name": "/HDFS/hdfs"
+ }],
+ "auth_to_local_properties": [
+ "falcon-startup.properties/*.falcon.http.authentication.kerberos.name.rules|new_lines_escaped"
+ ],
+ "configurations": [{
+ "falcon-startup.properties": {
+ "*.dfs.namenode.kerberos.principal": "nn/_HOST@${realm}",
+ "*.falcon.http.authentication.type": "kerberos",
+ "*.falcon.authentication.type": "kerberos"
+ }
+ }],
+ "name": "FALCON"
+ }],
+ "properties": {
+ "additional_realms": "",
+ "keytab_dir": "/etc/security/keytabs",
+ "realm": "EXAMPLE.COM"
+ }
+}
\ No newline at end of file
